Advances in information and communication technologies bring, alongside their benefits, concerns about security. Data no longer resides on physically isolated mainframes located within an organization, where physical security measures can be taken to defend the data and the system. Modern solutions are heading towards an open, interconnected environment in which storage outsourcing and operations on untrusted servers happen frequently. The old server-centric protection model locks the data in a database server and uses a traditional access control model to permit access to it. To resolve this security problem, which is particularly pressing in enterprise data management systems, grid computing and other distributed or peer-to-peer data management systems, a data-centric (DRM-like) protection model has been proposed in which data is cryptographically protected and may be outsourced or even float freely on the network. Rather than relying on the various networks to provide the confidentiality, integrity and authenticity of data, the networks are assumed to be insecure and data is protected at the end points of the communication channel. Data is encrypted, and only authorized users who need to access the data receive the decryption keys that allow them to decrypt it. Such a DRM system ensures end-to-end confidentiality, which from a security point of view is a great improvement in control over data distribution and in the privacy of the various users, in particular in the medical healthcare world.
In healthcare, however, access to data is very often granted on an ad-hoc basis, e.g. in emergency situations. For the solution described above to be accepted by the medical world, it is imperative to include an emergency access possibility: the life of a patient sometimes depends on the ability of care providers to access data. Even though security is an important feature, it is still less important than patient safety. Any healthcare provider who is treating a patient must get access to the relevant data. In a data-centric protection model, this means that the provider needs the keys that were used to encrypt the data. A previously suggested solution is based on the use of a trusted agent which releases the data keys for medical data in emergency cases.
Normally, published DRM-protected data is encrypted and a License Server only issues licenses, i.e. decryption keys, to requesting users if they have sufficient rights to access the data. Emergency access is therefore difficult to handle, in the sense that it represents an exception to the normal behavior of the system: the emergency care provider should be granted a license for decrypting the data he wants to access even if he has no regular, legitimate right to it. The legitimacy of the access must consequently be provable afterwards, so that data privacy is still ensured in the end. Logging of emergency accesses is therefore required.
In a previously suggested solution, the emergency access control problem is reduced to how to issue emergency licenses and how to log such events. An infrastructure of trusted agents is deployed that issues an emergency license upon a request for emergency access. A new trusted and highly available component responsible for handling emergency situations, while still enforcing data secrecy, is therefore needed. It consists in fact of a parallel infrastructure that can be deployed alongside an existing DRM system.
The emergency authority generates new emergency key pairs, which are transmitted to all its emergency agents. Only the public keys are additionally sent to the license servers, so that they can create emergency licenses for newly protected data. In addition to encrypting the content key with the intended user's public key, the license server also encrypts the content key with an emergency public key. All the private emergency keys must be known by every emergency agent so that data availability is ensured.
However, the solution described above has several problems. First of all, if one of the emergency keys is compromised, every data item whose emergency license was created with that key is compromised too. To limit the consequences, the number of emergency keys could be increased (in the limit, to one emergency key per data item), which in turn increases the number of keys the trusted agents have to manage and store (up to one key per data item). Obviously, this approach does not scale.
Another problem is that at the time the data protection is established and the emergency license is created, the (supposedly secret) emergency key has to be known already.
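The following is an added toy model of the emergency-license scheme described in the preceding paragraphs (key pairs generated by the emergency authority, private keys held by every agent, public keys handed to the license server, the content key wrapped once for the user and once under an emergency key, and every emergency release logged), together with a count that makes the first problem above concrete: one compromised emergency key unlocks every item whose emergency license used it. It is illustration code written for this page, not code from any DRM product or from the prior-art system described here. The asymmetric primitive is hashed ElGamal over the Mersenne prime 2**521-1 with generator 3 and the data cipher is a SHA-256 counter keystream; both are assumptions chosen so the example runs with the Python standard library only and are not suitable for production. All class and function names (EmergencyAuthority, LicenseServer, EmergencyAgent, items_exposed_by) are hypothetical.

```python
# Toy model of the DRM emergency-license scheme; illustration only, not production crypto.
import hashlib
import secrets

P = 2**521 - 1   # Mersenne prime M521; assumed toy group, illustration only
G = 3
KEY_LEN = 32     # content keys are 256-bit


def keygen():
    """Return (private, public) for the toy hashed-ElGamal scheme."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _kek(shared):
    # Key-encryption key derived from the Diffie-Hellman style shared value
    return hashlib.sha256(shared.to_bytes(66, "big")).digest()


def wrap_key(pub, content_key):
    """Encrypt a content key under a public key: (g^r, key XOR H(pub^r))."""
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), _xor(content_key, _kek(pow(pub, r, P)))


def unwrap_key(priv, wrapped):
    c1, c2 = wrapped
    return _xor(c2, _kek(pow(c1, priv, P)))


def stream_crypt(content_key, data):
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream (same call encrypts and decrypts)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(content_key + i.to_bytes(4, "big")).digest()
        out += _xor(data[i:i + 32], block)
    return bytes(out)


class EmergencyAuthority:
    """Generates emergency key pairs; private keys go to every agent, public keys to license servers."""
    def __init__(self, n_keys):
        pairs = [keygen() for _ in range(n_keys)]
        self.private_keys = {i: priv for i, (priv, _) in enumerate(pairs)}
        self.public_keys = {i: pub for i, (_, pub) in enumerate(pairs)}


class LicenseServer:
    def __init__(self, emergency_public_keys):
        # Problem 2 from the text: the emergency key must already be known when data is protected
        self.emergency_public_keys = emergency_public_keys

    def protect(self, plaintext, user_pub, emergency_key_id):
        """Encrypt a data item and issue a normal license plus an emergency license."""
        content_key = secrets.token_bytes(KEY_LEN)
        return {
            "ciphertext": stream_crypt(content_key, plaintext),
            "user_license": wrap_key(user_pub, content_key),
            "emergency_key_id": emergency_key_id,
            "emergency_license": wrap_key(self.emergency_public_keys[emergency_key_id], content_key),
        }


class EmergencyAgent:
    """Holds all emergency private keys so every item stays recoverable; each release is logged."""
    def __init__(self, private_keys):
        self.private_keys = dict(private_keys)
        self.log = []

    def emergency_access(self, item, provider_id, justification):
        key = unwrap_key(self.private_keys[item["emergency_key_id"]], item["emergency_license"])
        self.log.append({"provider": provider_id, "key_id": item["emergency_key_id"],
                         "justification": justification})
        return key


def items_exposed_by(compromised_key_id, items):
    """Problem 1 from the text: number of items a single compromised emergency key unlocks."""
    return sum(1 for it in items if it["emergency_key_id"] == compromised_key_id)


def demo(n_items=4, n_emergency_keys=1):
    authority = EmergencyAuthority(n_emergency_keys)
    server = LicenseServer(authority.public_keys)
    agent = EmergencyAgent(authority.private_keys)
    user_priv, user_pub = keygen()
    # Constructed sample records, not real patient data
    records = [f"patient record {i}: blood group O+".encode() for i in range(n_items)]
    items = [server.protect(rec, user_pub, i % n_emergency_keys) for i, rec in enumerate(records)]
    # Normal path: the intended user unwraps the content key with their own private key
    normal = stream_crypt(unwrap_key(user_priv, items[0]["user_license"]), items[0]["ciphertext"])
    # Emergency path: an agent releases the key for the same item and logs the event
    emergency_key = agent.emergency_access(items[0], "dr-on-call", "ER admission")
    emergency = stream_crypt(emergency_key, items[0]["ciphertext"])
    return {
        "normal_ok": normal == records[0],
        "emergency_ok": emergency == records[0],
        "log_entries": len(agent.log),
        "exposed_by_key_0": items_exposed_by(0, items),
        "keys_per_agent": len(agent.private_keys),
    }
```

Running demo(4, 1) shows the scaling trade-off from the paragraph above: with a single emergency key, compromising key 0 exposes all four items while each agent stores one key; with demo(4, 4), only one item is exposed per key but every agent must now store four private keys, i.e. one per data item.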
Hence, an improved and simplified method for managing encrypted data items would be advantageous, and in particular a simpler and/or more reliable method of issuing decryption keys to healthcare providers in emergency situations would be advantageous.